...

Resistance to Threat is rated in the last five columns.

| AuthN Type Number | Authentication Factor | Theft (Phishing, etc.) | Theft via Dynamic MITM Phishing | Guessing / Offline Cracking | MFA Device Compromise | User Workstation Compromise |
|---|---|---|---|---|---|---|
| 1 | Password | Low | Low | Depends | n/a | Low |
| 2 | Phone call - see Voice Restrictions, note 1 | Low | Low | High | Low | High |
| 3 | Phone call (VoIP) see Additional VoIP Restrictions, note 2 | Low | Low | Medium | Low | High |
| 4 | SMS | Low | Low | High | Low | High |
| 5 | SMS (VoIP) see Additional VoIP restrictions, note 2 | Low | Low | Medium | Low | High |
| 6 | HOTP cell phone software see notes 1 and 3 | Medium | Low | High | Medium | High |
| 7 | TOTP cell phone software see notes 1 and 3 | Medium | Low | High | Medium | High |
| 8 | HOTP token | Medium | Low | High | High | High |
| 9 | TOTP token | Medium | Low | High | High | High |
| 10 | HOTP written (back up codes) | Low | Low | High | High | Low |
| 11 | DUO Push see note 3 | High | Low | High | Medium | High |
| 12 | FIDO U2F token with password | High | High | High | High | High |
| 13 | PKI device certificate with device password | High | High | High | High | Medium |
| 14 | PKI token certificate with token password | High | High | High | High | High |

...

The Standard MFA Profile that we are developing now focuses on simple passwords no longer being sufficient in a modern world full of phishing threats. The Stronger MFA profile column would be for some future work to support an overall higher LoA, likely coupled with corresponding Identity Proofing requirements. It's helpful to see how the two might differ in their technology requirements.

...